Mass Scanning

Analysis of a number of compromised honeypots suggests that the systems were being attacked using automated attack scripts or exploits, often known as autorooters. In both the incidents described in phishing technique one above, once the attackers had compromised the honeypots, autorooter toolkits were uploaded to the server. The attackers then attempted to scan large ranges of IP addresses for similarly vulnerable servers (using scanners called "superwu" in the German incident and "mole" in the UK incident). Captured attacker keystrokes from the UK incident are show below, showing examples of the types of mass scanning activity attempted from compromised honeypots. Note that due to the honeynet configuration, hostile outbound traffic was blocked and these attacks did not succeed.

Attacker extracts scanner and attempts to scan class B network blocks:

[2004-07-18 15:23:31 bash 0]tar zxvf mole.tgz
[2004-07-18 15:23:33 bash 0]cd mole
[2004-07-18 15:23:38 bash 0]./mazz 63.2
[2004-07-18 15:24:04 bash 0]./mazz 207.55
[2004-07-18 15:25:13 bash 0]./scan 80.82

Attacker attempts to exploit potentially vulnerable servers:

[2004-07-19 11:56:46 bash 0]cd mole
[2004-07-19 11:56:50 bash 0]./root -b 0 -v ns1.victim.net
[2004-07-19 11:57:26 bash 0]./root -b 0 -v 66.90.NNN.NNN

Attacker returns later to check list of successfully compromised servers (the list was empty, due to the honeynet configuration):

[2004-07-23 08:13:18 bash 0]cd mole
[2004-07-23 08:13:20 bash 0]ls
[2004-07-23 08:13:25 bash 0]cat hacked.servers

Attacker attempts to scan multiple class B network blocks and then test an exploit against a selection of targets:

[2004-07-24 10:24:17 bash 0]cd mole
[2004-07-24 10:24:19 bash 0]./scan 140.130
[2004-07-24 10:24:27 bash 0]./scan 166.80
[2004-07-24 10:25:36 bash 0]./scan 166.4
[2004-07-24 10:26:23 bash 0]./scan 139.93
[2004-07-24 10:27:18 bash 0]./scan 133.200
[2004-07-24 10:36:37 bash 0]./try 202.98.XXX.XXX
[2004-07-24 10:38:17 bash 0]./try 202.98.YYY.YYY
[2004-07-24 10:38:27 bash 0]./try 202.98.YYY.YYY

In the final example above, note that the hosts that the attacker attempts to compromise are not part of the IP address ranges scanned from this honeypot, which again provides evidence of well coordinated and parallel mass scanning activity.

Further investigation of the mole.tgz file downloaded by UK attackers revealed a number of text files in the root directory of the unpacked autorooter toolkit. These files included scan configurations and logs of previous scanning activity for the "grabbb2.x and samba2.2.8 vulnerability". 42 cases of attacks against other hosts were present in these files, along with evidence of mass scanning of many class B network blocks, confirming that the observed incident was part of larger and more organised attack against similar systems. An example of the output from the mole scanning tool, viewed from an attacker's perspective, can be found here.

Finally, some of the mass scanning tools recovered from compromised honeypots do not appear to be in popular circulation, which suggests that the attackers had some level of development and tool smith capabilities beyond basic script kiddy activity, or were part of a closed community that did not share their tools in public forums. Again, this suggests more organised attackers.